how risk appetite and tolerance influence the organisation when it comes up to decision making taking E.Sun and SinoPac Banks as


Project Risk Management


Risk Appetite




Yin-Chia Hung




Dissertation submitted in partial fulfilment for the Degree of Master of Science in Msc


Yin-Chia Hung   WMG

University of Warwick



Submitted month, year




I have read and understood the rules on cheating, plagiarism and appropriate referencing as outlined in my handbook and I declare that the work contained in this assignment is my own, unless otherwise acknowledged.

No substantial part of the work submitted here has also been submitted by me in other assessments for this or previous degree courses, and I acknowledge that if this has been done an appropriate reduction in the mark I might otherwise have received will be made.


Signed candidate   YIN-CHIA HUNG


You are required to justify your submitted thesis against the degree definition for which you are registered.  This needs to be downloaded and pasted into the box below.


Project definition for my degree


A suitable project should relate to, or be applicable to, the management of projects or programmes. Topics can include methods, methodologies, tools, processes, human factors, multi-project scenarios, collaborative projects, in-company applications, or new product or service introduction. The application or research can be in any industry, including but not restricted to, engineering, service industry or IT



My project relates to this definition in the following way:





Project Submission Pro-Forma


(to be bound in front of the submitted Dissertation)


NAME:            YIN-CHIA HUNG


Student ID:      1157552


I wish the dissertation to be considered for (tick one only)


[ ] MSc in Cybersecurity & Management
[ ] MSc in e-Business Management
[ ] MSc in Engineering Business Management
[ ] MSc in Engineering Business Management for Defence & Security
[ ] MSc in Enterprise Integration Management
[ ] MSc in Innovation & Entrepreneurship
[ ] MSc in International Technology Management
[ ] MSc in Management for Business Excellence
[ ] MSc in Manufacturing Systems Engineering
[ ] MSc in Process Business Management
[x] MSc in Programme & Project Management
[ ] MSc in Supply Chain & Logistics Management


[ ] I have checked that my modules meet the requirements of the above award


I confirm that I have included in my dissertation:


[x] An abstract of the work completed
[x] A declaration of my contribution to the work and its suitability for the degree
[x] A table of contents
[ ] A list of figures & tables (if applicable)
[ ] A glossary of terms (where appropriate)
[x] A clear statement of my project objectives
[x] A full reference list



[ ] I am willing for my marked dissertation to be used for staff training purposes


Signed: YIN-CHIA HUNG          Date:



The recent financial crisis has evoked interest in the regulation of bank risks in general and of market risks in particular. Heavy losses on trading portfolios incurred by some of the largest banks in Taiwan and across the globe have exposed deficiencies in their internal models and processes for managing market risks. Currently, in Taiwan and other nations, banks are searching for new ways of expanding their underwriting capacities and managing their risk exposures.

Project risk management is the art and science of recognising, analysing and responding to risk throughout a project’s life cycle and in the best interest of meeting project objectives. A frequently overlooked aspect of project management, risk management can often make a significant contribution to the success of projects. Risk management can have a positive effect on selecting projects, identifying the projects’ scope, and making practical schedules and cost estimates. It helps project stakeholders appreciate the form of the project and engages team members in defining strengths and weaknesses. Project risk management also helps to integrate the other project management knowledge areas. When risk management is effective, it results in fewer problems, and for the few problems that exist, it results in more expeditious resolutions.

Other features associated with risk appetite include the idea that an appetite will normally relate to a range of possible outcomes. Therefore, around the risk appetite there is normally a given zone or level of risk exposure that is within appetite. This may be referred to as the risk tolerance range for exposure to that risk. The aim of developing a risk management strategy is to establish a framework on the basis of which effective risk management procedures can be set. The other aim is to determine how risk management can be embedded in regular project management activities.

While assessing the impacts of Project Risk Management and Risk Appetite in E.Sun and SinoPac Banks, two research questions were formed to act as a guide. The first objective was to carry out a critical assessment of the benefits of formal risk management in the banking industry, taking E.Sun and SinoPac Banks as case studies. The second objective was to determine the impact of risk appetite on business conduct under the current economic circumstances, taking the two banks as case studies. The research objective was to understand how risk appetite and tolerance influence decision making in the banking industry. This was achieved by contrasting and comparing regular delivery projects with financial investment projects. Given the nature of the research topic and the ease of getting information, the researcher considered it crucial to approach the research from a qualitative research paradigm. The research was therefore conducted using an inductive approach, with E.Sun and SinoPac Bank as case studies, and data was collected from various sources. Data was collected mainly from secondary sources.

Nonetheless, the research outcomes make it possible to deduce effective project risk management strategies that have assisted E.Sun Bank and SinoPac Bank in their risk management.

Table of Contents

  1. Chapter One: Introduction
  2. Chapter Two: Literature Review
     2.1 Project Risk
         2.1.1 Risk Appetite
         2.1.2 Project Risk Management
     2.2 Importance of Risk Management
     2.3 Project Risk Management Process
         2.3.1 Risk identification
         2.3.2 Risk assessment
         2.3.3 Risk quantification
         2.3.4 Risk response planning
         2.3.5 Risk monitoring and control
     2.4 Why it is necessary for risk management iteration in the project life cycle
     2.5 Enterprise Risk Management
         2.5.1 Office of Government Commerce
  3. Chapter Three: Research Methodology
     3.1 Research Philosophy
     3.2 Research Approach
     3.3 Data Collection
     3.4 Qualitative vs. Quantitative
     3.5 Research Strategy
     3.6 Research Method
     3.7 Validity and Reliability of Results
     3.8 Research Plan
         3.8.1 Research Plan and Time Frame
  4. Case Studies Analysis E.Sun Bank & SinoPac Bank (approx. 3200 Words)
     4.1 Research Question 1: What are the benefits of a formal risk management in the Banking Industry?
         4.1.1 Results & Findings
     4.2 Research Question 2: What is the impact of risk appetite on business conduct under the current economic circumstances?
         4.2.1 Results & Findings
  5. Summary, Conclusion & Recommendations


  1. Chapter One: Introduction

Due to complexities intrinsic in the global business environment and the competitive environment in the banking industry, most financial organisations and banks are exposed to various risks. Some of the risks are controllable by banks, and there are others which are beyond the control of the financial institutions. These risks and uncertainties are believed to have a significant effect on the operations of the financial institutions. Claessens (2004) asserts that the efficiency of a bank’s project risk management is directly proportional to the maturity of its risk management practices. He further emphasises the extent to which the risks have been efficiently integrated into the projects it implements (Claessens, 2004). In Claessens’ (2004) definition, integration means whether risk management activities are well defined and described in the project life cycle. It additionally refers to whether the activities happen regularly, as an element of project management processes.

Dent (2009) defines project risk management as a process that ought to commence from project inception and go on until the project is finished and its anticipated benefits realised. Basri (2008) and Dent (2009) further state that project risk management provides a holistic view of project risks and identifies potential problems. Project risk management also builds processes to assist the service provider to monitor and manage the risks.

Risk appetite is the level of risk that a company chooses to take based on the company-specific capability and assets available to absorb the risk (Basri, 2008 and Dent, 2009). Graham (2008) states that companies are well advised to consider what risks are acceptable to the company, and to set suitable guidance to be followed throughout the organisation. There is no single correct way to fix the level of risk appetite or risk tolerance of a company (Graham, 2008). Grace and Robert (2003) state that smaller companies or organisations have less risk appetite compared to larger organisations or companies. This is because larger organisations are able to absorb the downside consequences of taking extra risks compared to smaller organisations (Claessens, 2004). The level of risk appetite for a bank depends on how the bank operates, the chosen strategy and the organisational culture, all of which are interlinked (Graham, 2008).

As a subject of considerable concern, as emphasised by Yildirim and Philippatos (2007), risk management entails the identification, evaluation and prioritisation of risks, followed by the coordinated and economical application of existing resources so as to reduce, monitor and control the outcomes of unfortunate events.

Research findings reveal that E.Sun and SinoPac Banks’ risk management strategies have been improving since the onset of the global financial crisis (Hoggarth et al., 2005). However, the possibility of a national banking crisis and bank failure appears to be real over the short term. This situation, as stated by Grace and Robert (2003), can be devastating not only to Taiwan but also to the European economy in particular and the global economy in general. This view is true despite the turn that the current financial crisis takes in some major economies like the US, and therefore the evaluation of the Taiwan banks’ risk management techniques is significant (Hoggarth et al., 2005).

In the short term, the raising of interest rates by the prime banks in the Taiwan banking sector has been received with mixed signals as a mitigation measure for poor performance and creditworthiness (Lepetit and Tarazi, 2008). With the shock posed by the presence of other risks, the banking sector is prone to be forced out of its strong operational position as a result of the many structural adjustments that have been effected over the last few years (Baltensperger, 2002).

Claessens (2004) asserts that the Taiwan banking industry is concerned about risk management. All banks are searching for ways to control risk so that they can provide better services to their customers and decrease their risk exposures. Traditionally risk management has been the area where underwriters, lawyers and quantitative analysts have been employed (Lepetit and Tarazi, 2008). Their jobs were to put in place and implement policies that would protect investors, customers and business. As the banks look for new ways to increase their profits, they have to modify their risk policies. This dissertation seeks to identify the risks in the banking sector in Taiwan and establish risk management techniques that will ensure that possibilities of occurrence of such a crisis are minimised.

Research Aim and Objectives

The main aim of this research is to determine how risk appetite and tolerance influence the organisation when it comes to decision making, taking E.Sun and SinoPac Banks as case studies. The research further compares and contrasts risk appetite in regular delivery projects with financial investment projects. To achieve the research aims, the scenario in Taiwan’s banking sector was closely scrutinised to explore the risk management techniques used in E.Sun Bank.

The objectives of the paper are the following:

  1. To determine how risk appetite and tolerance influence the banking industry when it comes to decision making, taking E.Sun and SinoPac Banks, both in Taiwan, as case studies. The risk preferences of managers were investigated to measure bank risk efficiency and its components. Examining managerial risk preferences leads to a determination of whether the bank is risk-neutral, risk-averse, or risk-loving. The vital role of financial capital is highlighted as a tool employed by bank managers in managing and controlling their banks’ risk of failure.
  2. To contrast and compare risk appetite in regular delivery projects with financial investment projects. In addition, liquidity regulatory measures and supervision were examined closely, and their significance emphasised, as is the case with capital regulation. This will then encourage more focused, regular supervision of both E.Sun and SinoPac Banks’ liquidity status and testing of their risk management techniques. Establishment of a core funding ratio that will create assurance of sustained funding of the individual banks was considered.
  3. The research further seeks to identify the benefits of formal risk management in the banking industry. In so doing, the research seeks to analyse the impact of risk appetite on business conduct under the current economic circumstances.

Significance of the Study

As stated by Blue and Jeremy (2009), the Banking industry is characterised as one that looks to maximise profitability and minimise financial risk. Banks are not in the business to lose money.  Banks are by nature exposed to a number of risks: credit risk, interest rate risk, liquidity risk, foreign exchange risk and general market risk. Risk management is a central issue for banks (Aliber, 2005).


  • The paper is meant to pave the way in providing alternative approaches that E.Sun and SinoPac Banks and other Taiwan banks can take to tackle the challenges posed by financial instability and risks.
  • This research assists in identifying the risks and management techniques that will provide practical ways in which banks can take advantage of the powers availed.
  • The research further helps in identifying the use of the special powers to assist the banks out of distressed status in a manner that mitigates the effect on the nation’s economy and the functioning of the entire financial system. In doing so, the dissertation will draw the banks’ attention to the prevalent risks identified in the research and challenge their management to implement the recommendations made so as to avoid their recurrence.
  • Recurrent studies in the area of risk management in E.Sun and SinoPac Banks offer a chance for intensive assessment of risks by banks, inducing informed measures and initiatives for risk reduction and avoidance. In addition, the study will actively assist in strengthening the operation of the financial intermediary operators by having them understand the perceived risks and learn how to work with the banks in managing them. Further, the paper will be a means to remind the other financial institutions to maintain due diligence in their daily operations, particularly in the core payments, lending and the basic systems that support their very existence. This would initiate a sustainable system within the banking sectors of Taiwan and other nations that would in effect support the international financial system (Blue et al., 2009).

For bank managers, the results of achieving these objectives will improve their performance by identifying “best practices” and “worst practices” associated with high and low measures of efficiency and risk. Best practice risk management tools in attaining bank efficiency will be outlined (Santomero, 1995). The research is thus essential for banks both in Taiwan and in other nations.

Organisation of the Research

This analysis begins with a statement of the aims and objectives. A review of related literature is presented in chapter two. The available literature on the Taiwan banking industry has dealt with the issue of rapid growth, while the question of risk exposure and the response to it has been looked at only fleetingly. Different types of risks faced by both E.Sun and SinoPac Banks are discussed. The section also discusses the initial conditions and the quality of banking institutions. A conclusion summarises the literature review.

Chapter three details the methodology used in data collection. The research relies heavily on secondary materials.

The fourth chapter presents the results and a discussion of the findings.

Chapter five presents a summary of data and the results, conclusions, and policy recommendations.

  2. Chapter Two: Literature Review

This section spells out the findings of the secondary research that was carried out for this study. The findings are drawn from different scholarly works and are presented as facts. It is significant to note that this section covers different general subtopics that pertain to project risk management. Also, it is essential to note that this section will look into project risk management from the context of the banking industry because the entire study is based on a case study of a bank.

2.1 Project risk

According to Cooper et al. (2005), risk is the chance of something happening that will have an impact upon objectives, and it is measured in terms of consequences and likelihood. Rescher (1983) stated that project risk exists in three different categories: unstated yet incorrect assumptions, unknown things, and omissions and errors. Unstated yet incorrect assumptions is a risk category that is potentially devastating; for example, software is developed on a platform of a single language, and later in the project it is noted that achieving maximum performance requires including other languages in the software. Risks in the category of errors and omissions occur because of incorrect specifications, estimation mistakes and overlooked features. These risks are at times considered mundane, but they have a high propensity of negatively affecting the outcome of a project.

Hillson (2007) notes that the basic description of project risk usually factors in two key elements. The first is the condition, i.e. the situation, circumstance or set-up that causes uncertainty. The second is the consequence, i.e. the possible outcome or outcomes of the current condition.

In summary, Heldman (2005) argues that project risk has numerous definitions based on the different contexts or practice areas in which it may be applied, while risk management is part of everyday life and is practised in managing major construction projects and organisations, or simply whilst a pedestrian is crossing the road. It is, however, important to acknowledge that risk management practitioners, consultants and even scholarly works mainly specialise in a certain set of practice areas of risk, which include economic risk, human factors risk, financial risk, health risk, security risk, environmental risk, societal risk, business risk, and information and communication technology risk.

Each of these risk practice areas is widely discussed and broad in its individual context. Since this dissertation takes the banking industry as its case example, it is pertinent to discuss financial risk. Financial investments are also perceived as projects, and Cokely et al. (2012) note that they are seen as projects because they involve works that are organised carefully and designed to achieve a particular aim, which varies depending on the field of the financial investment. For example, the banking business is a project that involves the provision of various products and services that aim at protecting customers’ deposits, offering loans and providing additional services such as safe custody. Secondly, the investment banking business is a project that involves buying and selling shares and stocks with the main aim of generating a substantial return for the customer.

Specifically, Hopkin (2012) notes that in the financial market there exist three different types of risk: operational risk, credit risk and market risk.

Market risk has been described by Saunders (1999) as the possibility of an investor incurring a loss in his or her trading operations in the financial market due to moves in market factors. There are mainly four market risk factors: currency risk, i.e. the risk that foreign exchange rates will fall; equity risk, the risk of a fall in stock prices; commodity risk, the risk of a fall in the prices of commodities such as gold or oil; and interest rate risk, the risk that interest rates will change and erode returns (Siems, 1996).

According to Tysiac (2012), credit risk, also known as the risk of default on the repayment of debt, is described in the financial markets as the risk that affects trading operations when an investor fails to take up securities he or she had initially bought, or takes up the delivery and fails to pay at settlement of a derivative contract.


Operational risks in the financial market are described by Scholes (1972) as the risks that originate from players in the market and from the entire process of the financial market. Mistakes by brokers, and even fraudulent activities by them, amount to operational risk. In addition, factors such as technological failures, poor management, errors in financial reporting, rogue trading (i.e. brokers making personal gains from the funds of investors) and lack of control and accountability all amount to operational risk in the financial market.

2.1.1 Risk appetite

Kendrick (2003) described risk appetite as the willingness of a project manager or organisation to take on risk. A high risk appetite implies that the project manager or the business organisation is ready to take on more risk in pursuit of the set goals, and a low risk appetite implies that the project manager or the business organisation is not ready to take on big risks. It is critical to consider the concept of risk appetite before commencing risk management, since it is vital in the effective setting and implementation of risk management measures.

The concept of risk appetite is analysed from different angles. From a threats angle, it considers the extent of exposure that is perceived as justifiable should the threat become a reality: risk appetite compares the cost of risk prevention to the cost of exposure should the threat become a reality, and seeks a justifiable balance (Dirk, 2008).

From an opportunities angle, risk appetite considers how much a project manager is willing to risk so as to attain the maximum potential benefit of the project. From this angle, risk appetite compares the actual value of the returns of the project to the losses which might have been accrued (Wideman, 1992).

In construction projects, a constructor will be deemed to have a high risk appetite if he or she undertakes a construction project along a coastline that is prone to various threats such as rising sea levels, earthquakes or flooding. However, such a project offers a high return, since properties along the coastline are considered attractive and fetch high market prices. In financial investment, investors with a high risk appetite usually take up shares and equities that are highly risky but are usually deemed to be highly rewarding. However, it is important to note that some risks are unavoidable and at times an organisation cannot effectively manage to reduce the risk to a tolerable level; an example of such a risk is terrorism (Dirk, 2008).

2.1.2 Project risk management

According to Van et al. (2004), project risk management is a process of identifying, assessing and prioritising risk, followed by coordinating and economically applying resources in a bid to reduce, supervise and manage the probability or the effect of unforeseen occurrences.

In the financial management context, risk management has been defined by Tapiero (2004) as the understanding and communicating of the identified risk, so as to ensure that the identified risk is given the wide attention it deserves.

Project risk management adopts different strategies that mainly aim at reducing the impact of an identified risk or reducing the probability of a certain risk occurring; eliminating the identified risk; transferring the risk to another party within the project or, even some avoidable consequences of an identified risk.

In the banking context, credit risk is the most common, because of the high number of cases of loan defaults by customers that lead to ‘bad debts’ being written off; this subsequently has the potential of making the entire bank collapse due to an inability to honour customers’ right of payment on demand. This can lead to a spiral effect, which has the potential of crippling the entire banking system of a country. The risk management strategy commonly applied in the banking system is the setting of a minimum capital requirement, which controls and limits a bank’s lending and credit creation ability (James, 2003).


It is critical to note that the International Organisation for Standardisation (ISO) has set principles and guidelines that all risk management mechanisms should follow. These principles and mechanisms include: transparency; flexibility; inclusiveness; responsiveness to changes within; forming part of the decision-making process of an organisation; capacity to deliver continued enhancement and improvement within an organisation; periodic readjustment; factoring in human issues; ability to create value for the organisation; and forming an integral part of organisational processes (Keller et al., 2006). These principles and guidelines are reflected in all properly structured and developed risk management plans.


2.2 Importance of risk management


According to Hillson and Murray-Webster (2007), risk appetite and tolerance are usually high among ambitious individuals and aggressive business organisations; these traits are backed up by their “go-get” attitude. This is due to the common phenomenon that the higher the risk, the more returns or rewards a venture is supposed to generate. This, therefore, means that individuals, as well as business organisations, will always be ready to undertake high levels of risk with the expectation of remarkable outcomes or handsome returns (Hallenbeck, 2006). However, the aforesaid individual or business organisation may suffer massive losses if the venture is marred by unavoidable circumstances or events that hinder the realisation of the expected outcomes. It is due to this fact that James (2003) wrote that a wise investor will always factor in the risk in any venture that he or she undertakes and adopt the necessary measures or strategies to ensure that the investments made are less impaired by, or totally safe from, the identified risk. Thus, the main importance of risk management is to safeguard against unnecessary losses that can be accrued due to a lack of mitigation measures.

Secondly, in any business undertaking or project there are usually numerous stakeholders who have pooled their individual resources so as to invest in the single project. In order to gain the investors’ confidence, it is usually critical to implement a risk management mechanism which will guarantee the capital security of the investing parties. Siems (1996) stated that, as a part of any business plan, it is usually crucial to spell out the potential risk of the project and how well the proposing party is ready to handle the risk identified. This is usually meant to gain the trust of the prospective investor by giving an assurance that the money invested in the project is safe and that the chances of making losses are minimal.

The process of risk management can be used to evaluate different investment options, so as to establish the best option that offers a considerable degree of risk with a high return (Hallenbeck, 2006). Through analysis, investors can look into different options, gauging them on their level of risk, mitigation tactics and likely outcomes; the result of this analysis will then influence the investment decision (Moteff, 2005).


Implementation of a proper risk management mechanism will ensure the attainment of projected sales level or successful completion of a project. This further guarantees that the project will generate adequate cash flow throughout the entire period thus enabling the attainment of the stipulated short term and long-term objectives.


Proper risk management strategies can indicate to a business organisation when to invest in a particular line of business, which has less risk at the time and high returns, and also when to pull out of or reduce investments in that line of business. This gives the business organisation an opportunity to take advantage of a seasonal business environment, which can at times have a high risk and low returns in a particular period, and vice versa (Hutto, 2009). For example, through a proper risk management strategy a hotel business will be able to know when to pump more capital into the business (during the tourism peak season), and when to reduce investment by lowering the staff number or other operational expenses. This prevents the hotel from incurring losses during the low seasons.

Mostly in building construction projects and financial investments, risk management influences the decision-making process and also how the different stages of a project can be approached. This is because risk management will highlight certain settings, conditions or environments that have a high propensity to create uncertainty or a negative outcome. Relying on this information, decision makers change how they normally approach things so as to avoid triggering situations that generate a negative outcome for the project.

According to Gorrod (2004), it is vital to note that part of the significance of implementing risk management strategies in projects or in business ventures is to satisfy the criteria that are required before certain undertakings are adopted: the potential risks should have been identified, as well as their mitigation tactics. At times, risk management is adopted to ensure that a project or a business venture does not in any way violate certain rules or standards in a manner that can jeopardise the position of the project (Borodzicz, 2005). For example, banking institutions have to establish risk management strategies that will ensure their clients are able to honour their loan repayment schedules on time, which will further guarantee the banks a steady cash flow that enables them to pay the normal operational costs and also honour customers’ cheques, as well as payment demands for their deposits (Hallenbeck, 2006). By securing a steady cash flow, the banks are able to maintain the minimum capital requirement that is stipulated by the Central Bank. If a bank neglects to set a comprehensive risk management strategy, it exposes itself to various disadvantages such as loan defaults by customers, and in order to cover the shortfall it will have to lower its minimal capital requirement at the central bank, which is a violation of the minimal capital requirement law and also an infringement of the agreement of the Basel Committee, which prescribes the minimal capital requirements for all banks internationally.

Lam (2003) noted approvingly that the Basel regulations have aided customer protection. To ensure strict compliance with these regulations, the UK government ensures that banks provide evidence of strict compliance with these requirements in order to get government tenders and also to participate in major businesses. The Sarbox regulations (derived from the United States’ Sarbanes-Oxley Act of 2002), which require public companies, their management and accounting firms to adopt enhanced reporting standards for financial statements, have also helped increase investors’ confidence in corporate financial statements. The UK government strongly emphasises the implementation of these key regulations in all major commercial enterprises because they are highly effective risk management measures that bring many benefits to the firms as well as the customers.

2.3 Project Risk Management Process

Referring to the studies conducted by Tapiero (2004), project risk management is a process that follows five distinct steps: identification of risks, assessment of the risk, quantification of the risk identified, risk response planning and, lastly, monitoring and controlling the identified risk.

2.3.1 Risk identification

This is the initial stage of risk management, in which events are identified that, if triggered, will lead to considerable damage or loss. The identification process works in two ways: it can identify either the problem itself or the source of the problem. When identifying a risk from the source point, it is critical to acknowledge that the source can be either internal or external to the organisation; sources may include the surrounding climatic conditions, the organisation’s workforce, or the stakeholders of the organisation or project. Identifying risk as the problem itself entails identifying the underlying threats, such as loss of capital investment, mishandling of vital and confidential information, or threats arising from opposing groups or legal actions (Van et al. 2004).

In reference to the studies completed by Rendlemen (1999), there are various methods of risk identification. Key among them is common risk checking in a particular industry, which means identifying the risks of a business organisation from a list that is already available and contains the risks common in the pertinent industry. The second methodology is taxonomy-based risk identification, whereby risks are identified from the feedback of filled questionnaires (Hillson and Murray-Webster, 2007). In the taxonomy-based methodology, similar questionnaires are distributed to numerous participants, who are each asked to classify risks in all the different practice areas. The classified risks in each questionnaire are then compiled to identify the most common risks in all the practice areas of the financial sector. Thirdly, there is scenario-based risk identification, whereby different scenarios are created, and if a certain event leads to an unintended scenario, then that event is identified as a risk (Hillson and Murray-Webster, 2007). Fourthly, there is the brainstorming methodology, which is mostly used by start-ups or in scenarios that are new and do not have an already identified set of risks. Through brainstorming workshops, participants bring forth likely risks, which are then debated by the others, and if a risk is jointly agreed upon then it is listed as a risk. The fifth and also the most common methodology is objective-based risk identification, which denotes an event as a risk if it hinders the attainment of the set project or organisational goals.

Stoneburner et al. (2002) stated that the methodology of risk charting is the most comprehensive and reliable since it integrates all of the above methods. Risk charting can be done using different approaches, but commonly it is done by listing the resources that are at risk, then the threats to those resources and the factors that can either raise or lower the risk levels. Alternatively, the threats can be assessed first, and then the resources that are likely to be affected and the consequence of each identified risk. For example, in financial investment the customer or fund manager may identify risk through risk charting by first listing possible scenarios that may cause a drop in the value of the share price, such as a bankruptcy lawsuit against a bank, the death of a key management official, or the enactment of government regulations that are unfavourable for the normal operations of the bank (Hillson and Murray-Webster, 2007). After listing the threat and the possible scenarios that may cause it, the next step is to identify the impact of the fall in the value of the share price, which might be the bank going under receivership, customers clearing their accounts or investors dropping their shareholdings in the bank.

2.3.2 Risk assessment

Once risks are identified they are analysed to establish the extent of their impact and the chances of occurring. The extent of the impact of the risk can be easily measured in the case of a collapsed building or loss arising from the exchange rate, but in other instances, it is usually impossible to measure.

Risk assessment is usually conducted to ascertain the viability of a particular investment option; for example, a riskier investment is not advisable for a risk-averse investor. In projects such as building construction, risk assessment mainly entails evaluating whether the construction project can be successfully completed, whether the building can withstand harsh conditions such as flooding or earthquakes, and whether there is likely to be a high number of interested tenants or occupants for the building under construction. However, according to Moteff (2005), it is pertinent to note that the riskier an investment is, the more returns or rewards it is likely to gain in the markets.

Risk assessment is also used by the management team to predict a company’s future performance. For example, if the levels of risk pertaining to liquidity, operations or credit are minimal, the management will be right to assume that the business will survive in the future.

Lenders, who are referred to as buyers in the financial market, use risk assessment reports before investing in listed companies, so as to evaluate whether the company is likely to repay their investment or not. According to Gorrod (2004), risk assessment is also another way through which companies can carry out stock valuation and predict price movements in the future. Through risk assessment, companies can implement the measures necessary to mitigate the effects of such risks and in the long run lure more investors to invest in the company’s stocks and shares.

However, according to the studies conducted by Flyvbjerg (2006), it is rather difficult to assess risks such as geopolitical risk or economic risk, as these risks are out of the control of the financial market and hence can be neither controlled nor measured. Political and economic risks happen at unexpected times, which could be due to various causes, including natural calamities like floods or earthquakes, terrorism scares or attacks, and even economic meltdowns or recessions. Consequently, such risks are hard to measure, but necessary steps have to be adopted to mitigate their effects.

2.3.3 Risk quantification

Altemeyer (2004) stated that risk quantification is a process whereby risk is measured or described as a quantity. Currently there are various theories and formulas that try to quantify risk, but the most commonly applied is the composite risk index, which is obtained by multiplying the probability of risk occurrence by the impact of the risk event. Both variables are presented on a scale of 1 to 5: a smaller number represents either low chances of occurrence or low severity of impact, and a higher number represents either higher chances of occurrence or maximum severity of impact. It is, however, important to note that quantification of risk is limited, and different techniques of quantification usually apply in different fields or contexts.


For example, Borodzicz (2005) stated that there are two generally applied and comprehensive techniques for measuring risk at the stock market that can also be applied in the general business field: the standard deviation method and the co-efficient of variation method. The standard deviation method measures the dispersion from the mean or expected cash flow. It is always prudent to incorporate the risk premium rate to arrive at the rate that is to be used, i.e. the risk premium rate is added to the risk-free rate to get a composite rate that can be used to discount future cash flows. It is significant to note that the higher the standard deviation, the riskier the stock is assumed to be. The co-efficient of variation is a relative measure of risk because it considers the risk against the expected cash flow; it is used to compare stocks of unequal values, and the higher the co-efficient of variation, the higher the risk of the project.
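The two quantification approaches described above can be worked through on data. The following is an added example, not part of the original dissertation: the risk register entries and cash-flow figures are constructed, the tie-break order in the ranking is an assumption, and the population standard deviation is assumed because the text does not say which form is meant.

```python
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Risk:
    """One register entry scored on the 1-5 scales described in the text."""
    name: str
    probability: int  # 1 = low chance of occurrence, 5 = high
    impact: int       # 1 = low severity, 5 = maximum severity

    def __post_init__(self):
        # Reject scores outside the 1-5 scale instead of silently
        # producing an index that cannot be compared with the others.
        for attr in ("probability", "impact"):
            value = getattr(self, attr)
            if not 1 <= value <= 5:
                raise ValueError(f"{attr} must be 1..5, got {value}")

    @property
    def composite_index(self) -> int:
        # Composite risk index = probability x impact (range 1..25).
        return self.probability * self.impact


def rank_register(risks):
    """Highest composite index first; ties broken by impact, then name
    (the tie-break is an assumption of this example)."""
    return sorted(risks, key=lambda r: (-r.composite_index, -r.impact, r.name))


def dispersion(cash_flows):
    """Return (standard deviation, co-efficient of variation)."""
    mu = mean(cash_flows)
    if mu == 0:
        raise ValueError("co-efficient of variation is undefined for a zero mean")
    sigma = pstdev(cash_flows)  # population form, assumed here
    return sigma, sigma / abs(mu)


def riskier(a_name, a_flows, b_name, b_flows):
    """Say which series each measure calls riskier."""
    sd_a, cv_a = dispersion(a_flows)
    sd_b, cv_b = dispersion(b_flows)
    return {
        "by_standard_deviation": a_name if sd_a > sd_b else b_name,
        "by_coefficient_of_variation": a_name if cv_a > cv_b else b_name,
    }


# Constructed register for a bank, using risks of the kind the text mentions.
REGISTER = [
    Risk("exchange-rate loss", probability=3, impact=3),
    Risk("loan default", probability=4, impact=5),
    Risk("loss of key official", probability=2, impact=4),
    Risk("data mishandling", probability=2, impact=5),
]

# Constructed cash flows for two stocks of unequal value.
LARGE_STOCK = [900, 1000, 1100]
SMALL_STOCK = [60, 100, 140]

if __name__ == "__main__":
    for risk in rank_register(REGISTER):
        print(f"{risk.composite_index:>2}  {risk.name}")
    for name, flows in (("large", LARGE_STOCK), ("small", SMALL_STOCK)):
        sd, cv = dispersion(flows)
        print(f"{name}: sd={sd:.2f} cv={cv:.4f}")
    print(riskier("large", LARGE_STOCK, "small", SMALL_STOCK))
```

On these figures the standard deviation marks the large stock as riskier while the co-efficient of variation marks the small one, which is why the relative measure is the one used to compare stocks of unequal values.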

With regard to the stock market, Jensen (2009) stated that investors can use the historical volatility of interest rates to measure interest rate risk; there are also other comprehensive ways in which this can be measured, which involve using mathematical models to forecast interest rate scenarios. Credit risk is easily measured from the credit rating agencies that give credit ratings to companies and their stocks. Liquidity risk can be assessed using the bid-offer spread: the narrower the spread, the less risky the stock, and the wider the spread, the more risky the stock (Lintner, 2005).

Operational risk can be calculated using three different approaches: the standardised approach, the basic indicator approach and the advanced measurement approach. Both the standardised and the basic indicator approaches assess capital requirements based on revenues, while the advanced measurement approach uses risk measurement techniques that have been established by the industry.


Other examples of risk quantification in project management are given by Kruger et al. (2012), who stated that in a construction project the risk of a building or a fence falling is quantified by adding up the total amount used to put up the fence or the building, i.e. the material used plus the labour fee for the workers contracted. In health, risk is quantified by adding up the total number of people who will be affected, the total cost of treating each of them, and the productive hours lost by the patients while they were suffering from the health risk. Security risk such as burglary is quantified by adding up the value of the goods that will be stolen, the value of the damage to property, the cost of reconstructing the damaged property and the harm to or loss of any human life during the burglary.


The key element of risk-based frameworks for allocating resources is that the starting point is risk, not rules. Risk-based frameworks require a regulator to begin by identifying the risk that it is seeking to manage, not the rules it has to enforce. It is the business’s risk appetite that determines which risks to treat or tolerate. Based on the identified risk universe, the organisation then determines its risk appetite through input from senior management, the board, and the business owners. Tolerance levels must be defined for a period of time that takes into account the loss of funds, functions, or the ability to deliver services to the market. It is from here that the company determines whether or not the risk is significant in terms of its appetite.


2.3.4 Risk response planning


After performing the three steps, the next stage is drawing up a mitigation plan for the risk so as to reduce its chances of occurring, reduce its impact and, if possible, eliminate the identified risk entirely. Alternatively, Alexander and Sheedy (2005) stated that if the three options are not viable, then the risk can be transferred to another party through outsourcing the affected business process, or the organisation can acknowledge the chances of occurrence and the impact of the risk and then factor it into its budget or future plans.


Bent et al. (2003) wrote that risk avoidance is the most effective solution for all risks, but that without taking any risk an investor or business organisation should not expect any profit. Risk avoidance is usually done by not carrying out certain activities that might trigger the risk. According to BebchTaiwan (2008), risk reduction is done through adopting certain strategies that reduce the impact and the probability of occurrence of risk. For example, performing proper electrical wiring and installing fire extinguishers within a building will reduce the chances of a fire outbreak and also the extent of damage if a fire outbreak occurs. With regard to risk sharing, Roehrig (2006) stated that risk can be shared through outsourcing or insurance, whereby the third parties, which are business process outsourcing centres and insurance companies, will share in the gains as well as the burden of loss with the business organisation. Risks that cannot be shared or transferred are simply retained, and at times this could be because the cost of insurance against the risk is much higher than the possible losses that can be incurred in the event of the risk occurring.


2.3.5 Risk monitoring and control

After the implementation of the risk response plan, the subsequent step monitors the efficiency and performance of the risk management mechanism. This stage checks whether the response plan that has been implemented lowers the probability of the risk occurring and also whether, if the risk occurs, the severity of the impact will be much lower or not. If inefficiencies are noted within the response plan, then control measures are undertaken so as to obtain maximum performance of the risk response plan.


Covello and Allen (1988) noted that the initial risk response and planning is usually never adequate for the risks being faced, and more so for risks that will be faced in the future. Therefore, risk monitoring and control should be frequently reviewed, firstly to ascertain whether the initially implemented risk control measures are achieving the desired results or not, and secondly to examine any changes of risk level within the environment. Such changes are common with information risk, whose level changes as soon as there is new information.

2.4 Why it is necessary for risk management iteration in the project life cycle

In an ever-evolving environment where nothing seems to stay constant and there are always new trends cropping up, it is totally unconventional to maintain a risk management strategy for more than a year or two without reviewing the plan and making necessary amendments. Specifically, in project management there are different cycles which call for different risk management strategies, and hence in the project life cycle risk management strategies are usually reviewed and updated regularly. Considering different contexts, the review of a risk management plan may be prompted by: a) introduction of new laws, b) amendments of existing laws, c) introduction of new products and services, d) a difference in the way work is done, i.e. from manual to use of information technology, e) climate change, f) introduction of new personnel into the project, g) a change of the objectives of a project and h) a change of the source of finance or the amount of resources allocated or required for the project. These new issues cropping up, according to Hillson and Murray-Webster (2007), will undoubtedly influence or change the source of the problem, as well as the problem itself, and expectedly the strategies of risk mitigation will have to be reviewed in order to factor in the new severity of the risk as well as the probability of occurrence.

Keller et al. (2006) documented an iterative risk management framework to articulate options in a project that are bound to be affected by climate change. In their studies, they presented the illustrative figure below, which demonstrates the iterative nature of the climate policy process. The figure shows two quarters where decisions are made, and the other two quarters represent the decrease in severity of the impact of the risk and the reduction in the probability of occurrence of the risk. The arrows around the circle represent a range of outcomes and decisions that are undertaken during a project life cycle.



From the figure, it can be summarised that the iterative risk management framework has two key stages in each project life cycle. In the first, the existing environment is observed to identify changes and their impact on the project. The change could be in the surrounding weather pattern or the demographics of the pertinent population. The second stage, after learning about the environment, is to act on the risk management plan and implement the changes learnt in the measures that had earlier been adopted for managing risks. This process, as stated by Gorrod (2004), is repetitive, and it is usually conducted at intervals that depend on the type of the project and also the environment concerned, for example the social, political, technological or economic environment. The iterative risk management plan is beneficial in the sense that new sources of problems, as well as new problems, are factored into the plan, and even new ways of risk mitigation are factored into the ever-evolving plan. Additionally, with an iterative risk management plan the risk mitigation measures are always up to date and ready to tackle any new challenge arising (Cooper, 2010).


Bent et al. (2003) gave case-based examples of iterative risk management plans in projects in different fields. For example, in a construction project there is usually a risk management plan pertaining to the health and safety of the workers, and this plan usually recommends that all workers within the site wear gloves and a construction helmet. However, if there is a change in construction equipment or materials, or in the existing laws that govern construction projects, that now requires all workers to be issued with protective eye glasses, the iterative risk management plan will have to factor in these changes. The adoption of this measure will protect workers against any harm to their eyes that may arise from a mishap with the material used or the equipment. Alternatively, as stated by Gorrod (2004), the issuance of the protective eye glasses to the workforce will protect the project from being shut down by the authorities for failing to implement the new law that requires all workers on a construction site to be issued with protective eye glasses.


According to Dorfman (2007), the most iterative risk management plans are in farming projects, which is necessitated by the ever-changing and unpredictable weather patterns. For example, an iterative risk management plan against heavy rainfall is usually revised when the weather forecast predicts low rainfall levels in the future; the measure adopted in this case is a reduction in the insurance premium paid periodically (Grace and Robert, 2003). Alternatively, an iterative risk management plan against drought will also be revised in case the weather forecast predicts adequate future rainfall, and in this regard the farmer may even scrap the insurance against crop failure due to drought.


With regard to the banking industry, banks are always faced with credit risk that can eventually lead to bankruptcy and closure of the entire bank, which can in turn affect the financial market and the economy at large (Hillson, 2007). It is for this reason that the central government, through the central bank, always implements measures such as the minimal capital requirement to protect against such risk. The minimal capital requirement is usually determined by the prevailing economic situation. Grace and Robert (2003) state that during robust economic times the minimal capital requirement is usually lowered, and during harsh economic times the minimal capital requirement is usually increased so as to further cushion banks against credit risks. Banks also reflect this in their iterative risk management plans (Grace and Robert, 2003). For example, when the minimal capital requirement has been lowered, the probability of occurrence as well as the severity of the impact of the risk is usually lower, and hence banks relax the conditions of borrowing for their clients. However, when the prevailing economic condition is rather harsh, banks revise their iterative risk management plans by introducing tougher conditions for borrowing customers; this measure is undertaken so as to protect the banks against customer defaults on loans borrowed (Bollerslev et al. 2008).


2.5 Enterprise Risk Management


Referring to the studies conducted by Tysiac (2012), the Committee of Sponsoring Organisations of the Treadway Commission (COSO) has been described as a voluntary organisation in the private sector, predominant in the United States, which was established in 1985 to investigate and issue recommendations on fraudulent corporate financial reporting. Its key mission is providing professional guidance to the management of enterprises and to state authorities on vital functions pertaining to financial reporting, fraud, enterprise risk management, internal control, business ethics and organisational governance (BebchTaiwan, 2008). In respect of its mission, COSO has established an internal control framework that can be used as a reference point by government bodies and business organisations when conducting an assessment of their own internal systems.


With respect to enterprise risk management, COSO developed a model which can be applied by the management of an organisation when trying to assess and improve its enterprise risk management. Hopkin (2012) noted that in this model risk is described as a scenario or event that has a potentially negative impact on the enterprise. The severity of the risk can be felt by the enterprise as a whole, by its capital and human resources, by the services and products it offers, or by the end-users of its products and/or services. Moreover, the impact can even affect the external environment, the market or the surrounding community (BebchTaiwan, 2008).


With regard to the banking industry, Nicholson et al. (2005) stated that enterprise risk management considers the collective risk in this industry, which includes operational risk, market risk, interest rate risk and credit risk. Consequently, the COSO enterprise risk management model prescribes that every identifiable risk can have a pre-established plan to tackle the possible consequences that may arise as a result of the risk occurring.


Alberts et al. (2008) noted that, in 2001, COSO devised an integrated framework for enterprise risk management after numerous failures and business scandals at giant corporations, which heightened the advocacy for effective corporate governance and comprehensive risk management. These efforts led to the enactment of the Sarbanes-Oxley Act, which requires public enterprises to establish internal systems of control that are certified not only by the enterprise’s management but also by an independent auditor who confirms the effectiveness of the internal control system (Hillson, 2007). The latest edition of the COSO enterprise risk management model includes an integrated framework that is broader and seeks to ensure that the established internal control system can provide reasonable assurance to the enterprise on compliance with relevant laws and regulations, the reliability and validity of its financial reporting, the efficiency and effectiveness of its operations and the attainment of its overall mission and goals (Cooper, 2010).


Crockford (1986) stated that the enterprise risk management-integrated framework has eight key components that aim at addressing the ever-increasing demand for risk management in enterprises. The components include:

  • Internal environment - in banking institutions this sets the tone for how risk is perceived, and the risk appetite;
  • Objective setting - this prescribes that the enterprise should first establish its main objectives before potential events can be identified as risks;
  • Event identification - this component guides risk identification in both the internal and the external environment;
  • Risk assessment - risks are assessed to determine their impact as well as their probability of occurring;
  • Risk response - the management devises appropriate measures and mitigation tactics so as to lower the impact or eliminate the chances of the risk occurring;
  • Control activities - procedures and policies are developed and enforced so as to ensure the risk response achieves its objectives;
  • Information and communication - the integrated framework prescribes that information be identified and relayed to all concerned parties;
  • Monitoring - the integrated framework requires periodic appraisal of the risk response plan and modification of areas that are perceived to be outdated by events or ineffective.


It is beneficial to note that the COSO enterprise risk management-integrated framework totally relies on human judgment and, therefore, it is prone to human errors that can be as a result of bias and lack of informative information. However, the extent of human errors on the decision making process regarding risk management is minimized by the roles played by internal and external auditors who collectively assess the effectiveness of the control system establ.............
